Confluence Security Advisory 2012-09-11

Confluence Security Overview and Advisories

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

This advisory discloses security vulnerability that we have found and fixed in a recent version of Confluence.

  • Customers who have downloaded and installed Confluence should upgrade their existing Confluence installations to fix this vulnerability.  
  • Enterprise Hosted customers need to request an upgrade by raising a support request. 
  • Atlassian OnDemand and JIRA Studio customers are not affected by any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them. 

If you have questions or concerns regarding this advisory, please raise a support request at

In this advisory:

XSS Vulnerability


Atlassian rates the severity level of this vulnerability as High, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment. This vulnerability is not of Critical severity.


We have identified and fixed a reflected, or non-persistent, cross-site scripting (XSS) vulnerability that affects Confluence instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a Confluence page when it is viewed by the victim's browser. An attacker does not need an account on Confluence server. A successful attack does not necessarily modify any server content.

We recommend you to read about XSS attacks at Wikipedia, The Web Application Security Consortium and other places on the web before considering specific mitigations for this vulnerability.

This vulnerability affects all versions of Confluence earlier than 4.1.8. It has been fixed in Confluence 4.1.9 and later. This issue can be tracked here:  CONF-26366 - Getting issue details... STATUS

Risk Mitigation

We strongly recommend upgrading your Confluence installation to fix this vulnerability. Please see the 'Fix' section below.

One possible workaround is to block requests to certain URLs before they reach Confluence. HTTP GET requests to any Confluence URLs where the file name is ".vm" should be blocked. For example, if you use Apache web server to front Confluence and your Confluence is under /wiki path, then you can set up the following rules to block XSS attempts:

<LocationMatch ^/wiki/.*\.vm\?.* >
   Deny from all

<LocationMatch ^/wiki/.*\.vm$ >
   Deny from all

We recommend that you read the links above about how XSS attacks work before applying any workarounds. This code is only an example.



The vulnerability and fix version are described in the 'Description' section above.

We recommend that you upgrade to Confluence 4.1.9 or later, if possible. For a full description of the latest version of Confluence, see the release notes. You can download the latest version of Confluence from the download centre.

Update 13 Sep 2012: Patch for Confluence 3.5.x is now available. See the issue   CONF-26366 - Getting issue details... STATUS for patch files and instructions. Please note this patch goes beyond our current Security Patch Policy and you should not expect availability of similar patches in the future. Patching is a measure of last resort when you cannot upgrade.

Our thanks to D. Niedermaier of Intrest SEC who reported the XSS vulnerability described in this advisory. We fully support the reporting of vulnerabilities  and we appreciate it when people work with us to identify and solve the problem.

Last modified on Aug 10, 2016

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.